FreeRADIUS / freeradius-server

FreeRADIUS - A multi-protocol policy server.
http://freeradius.org
GNU General Public License v2.0

Failed test with EAP-TLS on Ubuntu 20.04 #3665

Closed collabaration closed 4 years ago

collabaration commented 4 years ago

**Problem Description**

When authenticating with a device using TLS 1.2, the RADIUS server fails to authenticate the device. I have the below settings in my freeradius setting:

tls_min_version = "1.0"
tls_max_version = "1.2"

But it seems it attempts TLS 1.3, because eap_peap received TLS 1.3:

(2) eap_peap: <<< recv TLS 1.3 [length 000a]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version

Below shows the message from freeradius:

(2) Received Access-Request Id 243 from 172.54.1.4:1645 to 172.54.1.227:1812 length 358
(2)   User-Name = "demodemo"
(2)   Service-Type = Framed-User
(2)   Cisco-AVPair = "service-type=Framed"
(2)   Framed-MTU = 1500
(2)   Called-Station-Id = "00-87-31-DE-08-05"
(2)   Calling-Station-Id = "00-19-0B-84-0E-BE"
(2)   EAP-Message = 0x0203006919800000005f160301005a01000056030157aa65fa7ae149fef88d0c479bddcd5b6be576255309866fcc96cacde1f3847600002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
(2)   Message-Authenticator = 0x41a4fd1a5e7ea5e213c0be2d8027ecd7
(2)   Cisco-AVPair = "audit-session-id=AC360104000000374FF9FBFF"
(2)   Cisco-AVPair = "method=dot1x"
(2)   NAS-IP-Address = 172.54.1.4
(2)   NAS-Port-Id = "GigabitEthernet0/5"
(2)   NAS-Port-Type = Ethernet
(2)   NAS-Port = 50105
(2)   State = 0xd7291c1ed62a05828663ed96b80d16bf
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "demodemo", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 105
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xd7291c1ed62a0582
(2) eap: Finished EAP session with state 0xd7291c1ed62a0582
(2) eap: Previous EAP request found for state 0xd7291c1ed62a0582, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 95 bytes
(2) eap_peap: Got complete TLS record (95 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 005a]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in FUNCTION (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 3 length 4
(2) eap: Failed in EAP select
(2)     [eap] = invalid
(2)   } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) sql: EXPAND .query
(2) sql:    --> .query
(2) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(2) sql: EXPAND %{User-Name}
(2) sql:    --> kbarron
(2) sql: SQL-User-Name set to 'kbarron'
(2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(2) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kbarron', '', 'Access-Reject', '2020-09-24 21:11:13')
(2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kbarron', '', 'Access-Reject', '2020-09-24 21:11:13')
(2) sql: SQL query returned: success
(2) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(2)     [sql] = ok
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> kbarron
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     [eap] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 243 from 172.54.1.227:1812 to 172.54.1.4:1645 length 44
(2)   EAP-Message = 0x04030004
(2)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 241 with timestamp +20

Below is my config:

FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
  security {
    user = "freerad"
    group = "freerad"
    allow_core_dumps = no
  }
  name = "freeradius"
  prefix = "/usr"
  localstatedir = "/var"
  logdir = "/var/log/freeradius"
  run_dir = "/var/run/freeradius"
}
main {
  name = "freeradius"
  prefix = "/usr"
  localstatedir = "/var"
  sbindir = "/usr/sbin"
  logdir = "/var/log/freeradius"
  run_dir = "/var/run/freeradius"
  libdir = "/usr/lib/freeradius"
  radacctdir = "/var/log/freeradius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 16384
  pidfile = "/var/run/freeradius/freeradius.pid"
  checkrad = "/usr/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
  log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
    colourise = yes
    msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
    max_attributes = 200
    reject_delay = 1.000000
    status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
}
home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = <<< secret >>>
  response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  check_timeout = 4
  num_answers_to_alive = 3
  revive_interval = 120
  limit {
    max_connections = 16
    max_requests = 0
    lifetime = 0
    idle_timeout = 0
  }
  coa {
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
  }
}
home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost_ipv6 {
  ipv6addr = ::1
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
client radius_srv {
  ipaddr = 172.54.1.4
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
Debugger not attached
systemd watchdog is disabled

Creating Auth-Type = mschap

Creating Auth-Type = digest

Creating Auth-Type = eap

Creating Auth-Type = PAP

Creating Auth-Type = CHAP

Creating Auth-Type = MS-CHAP

radiusd: #### Instantiating modules ####
modules {

Loaded module rlm_utf8

Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8

Loaded module rlm_chap

Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap

Loaded module rlm_unpack

Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack

Loaded module rlm_radutmp

Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp

radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes }

Loaded module rlm_dynamic_clients

Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients

Loaded module rlm_files

Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files

files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" }

Loaded module rlm_exec

Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo

exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes }

Loaded module rlm_eap

Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap

eap {
  default_eap_type = "md5"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 16384
}

Loaded module rlm_sql

Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql

sql {
  driver = "rlm_sql_mysql"
  server = "localhost"
  port = 3306
  login = "radiusadmin"
  password = <<< secret >>>
  radius_db = "radiusdb"
  read_groups = yes
  read_profiles = yes
  read_clients = yes
  delete_stale_sessions = yes
  sql_user_name = "%{User-Name}"
  default_user_profile = ""
  client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
  authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
  authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
  group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
  simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  safecharacters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-: /"
  auto_escape = no
  accounting {
    reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
    type {
      accounting-on {
        query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      accounting-off {
        query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
      }
      start {
        query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}')"
      }
      interim-update {
        query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      }
      stop {
        query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
      }
    }
  }
  post-auth {
    reference = ".query"
    query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
  }
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group

Loaded module rlm_expiration

Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration

Loaded module rlm_pap

Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap

pap { normalise = yes }

Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec

exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 }

Loaded module rlm_logintime

Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime

logintime { minimum_timeout = 60 }

Loaded module rlm_preprocess

Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess

preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no }

Loaded module rlm_linelog

Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog

linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" }

Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog

linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" }

Loaded module rlm_expr

Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr

expr { safecharacters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" }

Loaded module rlm_replicate

Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate

Loaded module rlm_always

Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always

always reject { rcode = "reject" simulcount = 0 mpp = no }

Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always

always fail { rcode = "fail" simulcount = 0 mpp = no }

Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always

always ok { rcode = "ok" simulcount = 0 mpp = no }

Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always

always handled { rcode = "handled" simulcount = 0 mpp = no }

Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always

always invalid { rcode = "invalid" simulcount = 0 mpp = no }

Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always

always userlock { rcode = "userlock" simulcount = 0 mpp = no }

Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always

always notfound { rcode = "notfound" simulcount = 0 mpp = no }

Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always

always noop { rcode = "noop" simulcount = 0 mpp = no }

Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always

always updated { rcode = "updated" simulcount = 0 mpp = no }

Loaded module rlm_mschap

Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap

mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no }

Loaded module rlm_unix

Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix

unix {
  radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group

Loaded module rlm_attr_filter

Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no }

Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no }

Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter

attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no }

Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter

attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no }

Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter

attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no }

Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp

radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no }

Loaded module rlm_detail

Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }

Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }

Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }

Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }

Loaded module rlm_soh

Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh

soh { dhcp = yes }

Loaded module rlm_cache

Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap

cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no }

Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth

exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes }

Loaded module rlm_passwd

Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd

passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 }

Loaded module rlm_digest

Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest

Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail

detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no }

Loaded module rlm_realm

Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm

realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no }

Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm

realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no }

Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm

realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no }

Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm

realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no }

Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm

realm ntdomain {
  format = "prefix"
  delimiter = "\"
  ignore_default = no
  ignore_null = no
}
instantiate {
}

Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files

reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy

Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap

Linked to sub-module rlm_eap_md5

Linked to sub-module rlm_eap_leap

Linked to sub-module rlm_eap_gtc

gtc { challenge = "Password: " auth_type = "PAP" }

Linked to sub-module rlm_eap_tls

tls {
  tls = "tls-common"
}
tls-config tls-common {
  verify_depth = 0
  ca_path = "/etc/freeradius/3.0/certs"
  pem_file_type = yes
  private_key_file = "/etc/freeradius/3.0/certs/server.key"
  certificate_file = "/etc/freeradius/3.0/certs/server.pem"
  ca_file = "/etc/freeradius/3.0/certs/ca.pem"
  private_key_password = <<< secret >>>
  dh_file = "/etc/freeradius/3.0/certs/dh"
  fragment_size = 1024
  include_length = yes
  auto_chain = yes
  check_crl = no
  check_all_crl = no
  cipher_list = "DEFAULT"
  cipher_server_preference = no
  ecdh_curve = "prime256v1"
  disable_tlsv1 = yes
  disable_tlsv1_1 = yes
  tls_max_version = "1.2"
  tls_min_version = "1.2"
  cache {
    enable = no
    lifetime = 24
    max_entries = 255
  }
  verify {
    skip_if_ocsp_ok = no
  }
  ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
  }
}
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2

Linked to sub-module rlm_eap_ttls

ttls {
  tls = "tls-common"
  default_eap_type = "md5"
  copy_request_to_tunnel = no
  use_tunneled_reply = no
  virtual_server = "inner-tunnel"
  include_length = yes
  require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation

Linked to sub-module rlm_eap_peap

peap {
  tls = "tls-common"
  default_eap_type = "mschapv2"
  copy_request_to_tunnel = no
  use_tunneled_reply = no
  proxy_tunneled_request_as_eap = yes
  virtual_server = "inner-tunnel"
  soh = no
  require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation

Linked to sub-module rlm_eap_mschapv2

mschapv2 { with_ntdomain_hack = no send_error = no }

Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql

rlm_sql_mysql: libmysql version: 8.0.21
mysql {
  tls {
    tls_required = no
    check_cert = no
    check_cert_cn = no
  }
  warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radiusdb"
rlm_sql (sql): Initialising connection pool
pool {
  start = 5
  min = 3
  max = 32
  spare = 10
  uses = 0
  lifetime = 0
  cleanup_interval = 30
  idle_timeout = 60
  retry_delay = 30
  spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 8.0.21-0ubuntu0.20.04.4, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 8.0.21-0ubuntu0.20.04.4, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 8.0.21-0ubuntu0.20.04.4, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 8.0.21-0ubuntu0.20.04.4, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 8.0.21-0ubuntu0.20.04.4, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 8.0.21-0ubuntu0.20.04.4, protocol version 10

Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration

Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap

Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime

Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess

reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints

Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog

Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog

Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always

Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap

rlm_mschap (mschap): using internal authentication

Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy

Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy

Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject

Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge

Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response

Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output

Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked

Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail

Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm

Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm

Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm

Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm

Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm

} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default

Loading authenticate {...}

Loading authorize {...}

Ignoring "ldap" (see raddb/mods-available/README.rst)

Loading preacct {...}

Loading accounting {...}

Loading post-proxy {...}

Loading post-auth {...}

} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel

Loading authenticate {...}

Loading authorize {...}

Loading session {...}

Loading post-proxy {...}

Loading post-auth {...}

Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336

} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr =
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "acct"
  ipaddr =
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "auth"
  ipv6addr = ::
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}

Is there a recommended configuration that can be applied for TLS 1.2 with Freeradius?

alandekok commented 4 years ago

There is no standard for TLS 1.3 and EAP-TLS. You say:

When authenticating with a device using TLS 1.2,

Except the device is not using TLS 1.2. It's using TLS 1.3. The debug log shows this.

Try 3.0.21, which has better debugging. But in the end, configure the device to not use TLS 1.3.
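Whether the device is offering TLS 1.3 can be checked independently of the "recv TLS x.y" label in the debug output: the first EAP-Message attribute of the exchange carries the TLS ClientHello, and the versions the peer will accept are stated there (in the supported_versions extension for TLS 1.3 clients, or via client_version for older clients). The Python below is an added example for this thread, not code from FreeRADIUS. The EAP-Response/PEAP frames it decodes are constructed inside the script by build_client_hello_eap (not captured packets), and version_code/negotiated_version are illustrative helpers that apply the generic TLS rule (highest version acceptable to both sides) to a tls_min_version/tls_max_version pair; they are not FreeRADIUS's own negotiation logic.

```python
"""Decode the TLS ClientHello inside an EAP-Message and report the offered versions.

Added example for this issue thread, not FreeRADIUS code.  All input frames are
constructed below; to inspect a real one, pass bytes.fromhex(<EAP-Message hex
without the 0x prefix>) to offered_tls_versions().
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 13, 21, 25
FLAG_LENGTH_INCLUDED = 0x80         # EAP-TLS "L" bit: 4-byte TLS message length follows
EXT_SUPPORTED_VERSIONS = 0x002B     # RFC 8446, section 4.2.1
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def tls_payload_from_eap(eap_message: bytes) -> bytes:
    """Strip EAP and EAP-TLS/TTLS/PEAP framing, returning the raw TLS record bytes."""
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if code != EAP_RESPONSE or length != len(eap_message):
        raise ValueError("not a well-formed EAP Response")
    eap_type, flags = eap_message[4], eap_message[5]
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP):
        raise ValueError(f"EAP type {eap_type} does not carry TLS")
    offset = 6 + (4 if flags & FLAG_LENGTH_INCLUDED else 0)
    return eap_message[offset:]


def offered_tls_versions(eap_message: bytes) -> dict:
    """Parse the ClientHello and return the versions the peer is willing to use."""
    tls = tls_payload_from_eap(eap_message)
    content_type, record_version, record_len = struct.unpack("!BHH", tls[:5])
    if content_type != 0x16:
        raise ValueError("first TLS record is not a handshake record")
    hs = tls[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                        # skip client random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                # compression methods
    supported = None
    if pos < len(body):                                 # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS:
                # 1-byte list length followed by 2-byte version codes
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0]
                             for i in range(0, data[0], 2)]
            pos += 4 + ext_len
    if supported is None:
        # Pre-1.3 semantics: client_version is the highest version the peer accepts
        offered = sorted(v for v in VERSION_NAMES if v <= legacy_version)
    else:
        offered = sorted(supported)
    return {"record_version": record_version, "legacy_version": legacy_version,
            "has_supported_versions": supported is not None,
            "offered": offered, "highest": max(offered)}


def version_code(setting: str) -> int:
    """Map a "1.2"-style version string to its TLS wire code (0x0303)."""
    major, minor = setting.split(".")
    if major != "1" or not 0 <= int(minor) <= 3:
        raise ValueError(f"unsupported TLS version string {setting!r}")
    return 0x0300 + 1 + int(minor)


def negotiated_version(offered, tls_min: str, tls_max: str):
    """Highest offered version inside [tls_min, tls_max], or None if there is none.
    Illustrative (hypothetical) helper, not FreeRADIUS/OpenSSL's own selection code."""
    lo, hi = version_code(tls_min), version_code(tls_max)
    acceptable = [v for v in offered if lo <= v <= hi]
    return max(acceptable) if acceptable else None


def build_client_hello_eap(legacy_version: int, supported=None, eap_id: int = 3) -> bytes:
    """Construct an EAP-Response/PEAP frame with a minimal ClientHello (test input)."""
    suites = b"\xc0\x2f\xc0\x30\x13\x01"                # constructed cipher-suite list
    body = (struct.pack("!H", legacy_version) + bytes(range(32)) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    if supported is not None:
        data = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record = struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # legacy record version
    eap_body = bytes([EAP_TYPE_PEAP, FLAG_LENGTH_INCLUDED]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(eap_body)) + eap_body


if __name__ == "__main__":
    for label, frame in (("TLS 1.3-capable peer", build_client_hello_eap(0x0303, [0x0304, 0x0303])),
                         ("TLS 1.2 peer", build_client_hello_eap(0x0303))):
        info = offered_tls_versions(frame)
        chosen = negotiated_version(info["offered"], "1.0", "1.2")
        print(label, [VERSION_NAMES[v] for v in info["offered"]],
              "->", VERSION_NAMES.get(chosen, "no common version"))
```

The two constructed peers illustrate the distinction that matters here: a client that sends supported_versions listing TLS 1.3 and TLS 1.2 still has TLS 1.2 in the acceptable set for a server capped at tls_max_version = "1.2", whereas a client whose supported_versions lists only TLS 1.3 has no version in common with that server and the handshake cannot proceed.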